Cybersecurity and Reputation in 2026: Surfing into the Wave
While we’re well past Larry David’s threshold to wish “Happy New Year,” 2026 is still fresh and there will be some trends communications leaders should be very prepared for as cybersecurity and corporate reputation continues to be more firmly intertwined. What’s more, these trends are evolving quickly and in a way that should make most PR leaders question assumptions they’ve made for cybersecurity-related communications even just a few years ago.
We’ll likely find the organizations that emerge with their reputations intact—or even enhanced in some cases—are those that recognize a simple truth. Specifically, that in the age of growing and ever-present cybersecurity threats, your communication strategy is nearly as important as your firewall configuration.
The Trends
Show Your Work, Not Just Your Confidence: Soon it will no longer be enough to simply say your products or services are “secure,” you need to demonstrate it with specificity and honesty. This means highlighting the good with the bad and providing meaningful detail about your offerings. Companies like Anthropic are leading the way by openly discussing safety concerns with their AI models, while Amazon has been transparent about potentially malicious activity it has detected and mitigated in its network. The market is rewarding this kind of candor because it builds credibility and ultimately trust. Security is a journey, not a destination, so no one expects their security vendor to have a perfect record. They do expect them to quickly and effectively address vulnerabilities.
Supply Chain Security as a Diplomatic Balancing Act: Supply chain security is already a fundamental area of corporate risk, but it is likely to continue to grow as cybercriminals become more creative and effective in exploiting vendors across corporate supply chains. Because these types of issues have only grown in frequency and impact, the way in which organizations communicate to core stakeholders about them will also need to change in 2026. The line between accountability and “throwing suppliers under the bus” is beginning to grow very blurry and will depend even more on the facts on the ground in the coming year. Moving forward, organizations should approach communications related to these situations with considerable nuances. Letting the facts of the matter drive the narrative rather than reflexive blame-shifting that could backfire with partners and customers alike if pre-packaged approaches are applied.
The Race to Disclosure Amidst a Sea of Data Extortion Attacks: Bad actors are doubling down on data theft and extortion rather than deploying traditional ransomware. In this environment, companies need to realize they aren’t alone—and many who are targeted actually stand out in a positive way if they choose not to pay and instead disclose the issue before the bad actors. Speed and a degree of transparency can transform a potential reputation crisis into a demonstration of organizational integrity. This trend also extends beyond data extortion attacks. In recent years, many companies received positive feedback for proactively disclosing security issues early when they pose an immediate threat or have immediate impacts on users, even when not legally required to do so.
Reputation in the Age of Hacking Back: In the geopolitical West, and particularly in the U.S. of late, state-backed offensive cyber action and overall aggressiveness—including “hacking back” and hawkish, nationalistic perspectives—is gaining momentum. Brands operating in this sphere directly or tangentially face complex decisions. Specifically, how do you want to position your organization in this increasingly militarized cyber domain while protecting your reputation? Also, how that decision will need to be framed and communicated in a way that aligns with their existing brand reputation or the trajectory they want their reputation to take.
It’s Past Time to Stop Saying, “We take security seriously:” Using that phrase increasingly carries with it a subtext that suggests you’re simply cutting and pasting what everyone else says and in fact do not take security “seriously.” Furthermore, for a while it has also underscored a lack of authentic engagement with the issue for press, but increasingly with other important stakeholders, which can undermine trust with your key audiences as opposed to building trust.
The Bottom Line
The companies that will thrive in 2026’s cybersecurity landscape won’t necessarily be those that never experience incidents. They’ll be the ones that communicate about them with honesty, speed and strategic clarity. Reputation is no longer built on projecting invulnerability; it’s earned through demonstrating resilience, accountability and respect for those who trust you with their data.
Your security posture and communication strategy are now inseparable. Make sure they’re both ready.
Scott Radcliffe is FleishmanHillard’s global director of cybersecurity, leading the firm’s Cybersecurity Center of Excellence and advising clients on rising cyber risks. He recently rejoined FH from Apple, where he led cybersecurity communications and previously served as the agency’s senior global data privacy and security expert.
